ad-detector icon indicating copy to clipboard operation
ad-detector copied to clipboard

Published 20 hours ago verified publisher icon typpo

Make it possible to update rules without releasing a new version.

Open typpo opened this issue 10 years ago • 5 comments

The extension should occasionally retrieve updated rules from a server.

Some people may not like the idea of a server updating their rules arbitrarily, so this will have to be done carefully and correctly.

typpo avatar Aug 14 '14 22:08 typpo

I think Ghostery handles this reasonably well with their weekly updated tracker lists with an "Auto Update" option. https://www.ghostery.com/en/help/firefox

dtran320 avatar Aug 14 '14 22:08 dtran320

Is this necessary for Chrome version? https://developer.chrome.com/extensions/autoupdate

dsernst avatar Aug 16 '14 00:08 dsernst

@dsernst, as much as people “may not like the idea of a server updating their rules” those same people are very likely to be wary of autoupdates too. Especially with a whole market for buying extensions and injecting them with ads/malware.

The biggest security problem with AdDetector’s rules the way they are now is that you will be importing JavaScript code that needs to be executed. This is why a system like Ghostery’s or Disconnect’s cannot be compared. They pass a list of text that needs to be parsed by the add-on. If someone sends you a fake update all they could do is unblock ads or block non-ads and confuse you. If someone sends AdDetector a fake rules.js they get to execute JavaScript code through the extension and can do anything the browser allows them (injecting ads, scraping your email, …).

Could the rules be converted to something like XPath queries? Unlike CSS selectors these would allow to match text contents as necessary for things like BuzzFeed’s match function and most of the getSponsor functions.

Zegnat avatar Aug 16 '14 22:08 Zegnat

Haven't looked at the code/rules much, but I've done something along the lines of what Zegnat suggested. We'd have a bunch of selector methods in the source, and configure a list of method names with arguments for each website. This wasn't public or in javascript, so I can't speak to security implications.

ashrestha91 avatar Aug 18 '14 21:08 ashrestha91

I'm actually really interested in using such a list of rules for another (non-javascript) project. Is there any appetite for converting the rules to a purely data form (like Zegnat suggested)? Looking through the current rules, the match functions mostly look easy enough to convert... This buys you auto-updating without downloading javascript, and it also makes the rules available to a larger community...

bcampbell avatar Oct 22 '15 08:10 bcampbell